Tag Archives: Computer network security

We’re Not in the Business of Understanding our User

[image: Za-tray2]

A few years ago I wrote about how sometimes your product is useful to people in ways you didn’t know—and that you’d be smart to recognise that and capitalize on it (What Your Product Does You Might Not Know About, 2007).

One of the examples I cited was ZoneAlarm, a very popular firewall that was bought by Check Point. The point I made with their product was how useful the Windows system tray icon was in that it doubled as a network activity monitor. The logo, in short, would switch to a twin gauge when there was traffic. Really useful: it wasn’t directly related to the actual function of the firewall, but for most people that’s academic. If the firewall’s up and running and traffic is showing through it, everything must be good.

The dual-purpose icon was a confidence-boosting measure, a symbol that the purpose of the product—to keep the network safe—was actually being fulfilled.

Not any more. A message on the ZoneAlarm User Community forum indicates that as of March this year the icon will not double as a network monitor. In response to questions from users a moderator wrote:

Its not going to be fixed in fact its going to be removed from up comming [sic] ZA version 10
So this will be a non issue going forward.
ZoneAlarm is not in the buiness [sic] of showing internet activity.
Forum Moderator

So there you have it. A spellchecker-challenged moderator tells it as it is. Zone Alarm is now just another firewall, with nothing to differentiate it and nothing to offer the user who’s not sure whether everything is good in Internet-land. Somebody who didn’t understand the product and the user saved a few bucks by cutting the one feature that made a difference to the user.

Check Point hasn’t covered itself in glory, it has to be said. I reckon one can directly connect the fall in interest in their product with the purchase by Check Point of Zone Labs in December 2003 (for $200 million). Here’s what a graph of search volume looks like for zonealarm since the time of the purchase. Impressive, eh?

[image: search volume graph for zonealarm]

Of course, this also has something to do with the introduction of Windows’ own firewall, which came out with XP SP2 in, er, 2004. So good timing for Zone Labs but not so great for Check Point.

Which is why they should have figured out that the one thing that separated Zone Alarm from other firewalls was the dual purpose icon. So yes, you are in the business of showing Internet activity. Or were.

(PS Another gripe: I tried the Pro version on trial and found that as soon as the trial was over, the firewall closed down. It didn’t revert to the free version; it just left my computer unprotected. “Your computer is unprotected,” it said. Thanks a bunch!)

The Battery DDOS: Tip of An Iceberg

An interesting story is brewing about the FBI investigating a DDOS (Distributed Denial of Service) attack on websites selling batteries. But the reporting does not go far enough: in fact, a little research reveals this is part of a much bigger assault on a range of industries.

As a starting point, look at Elinor Mills of the excellent Insecurity Complex at CNET:

U.S. battery firms reportedly targeted in online attack | InSecurity Complex – CNET News: “The FBI is investigating denial-of-service attacks targeting several U.S. battery retail Web sites last year that were traced to computers at Russian domains in what looks like a corporate-sabotage campaign, according to documents published yesterday by The Smoking Gun.”

But a closer look at the source documents suggests this is just the tip of a much bigger iceberg. The Smoking Gun incorrectly reports the email address used by the alleged hacker, a St Petersburg man called Korjov Sergey Mihalivich, as lvf56fre@yahoo.com. In fact, the FBI lists it as lvf56kre@yahoo.com, which yields much more interesting results. Such as this one, from ShadowServer.

ShadowServer shows that the domains under that person’s control, globdomain.ru (not globdomian.ru as reported by the Smoking Gun) and greenter.ru, have been prolific since 2010 in launching DDOS attacks against 14 countries and more than 30 industries and government websites. An update from ShadowServer in January 2011 counted 170 “different victims. Again, these attacks are across many different industries and target some rather high profile sites.” (It doesn’t identify them.)

The DDOS attacks use the BlackEnergy botnet, described by Arbor Networks’ Jose Nazario in a 2007 paper [PDF]. Back then Nazario reported the botnet’s C&C systems were hosted in Malaysia and Russia.

The same email address used for those two domains has been used to register other domains, among them trashdomain.ru, which has been recorded as the host for a Trojan dropper called Microjoin.

In other words, this is about a lot more than batteries. This appears to be a DDOS-for-rent service for businesses wanting to take out rivals in a host of fields. Indeed, the FBI investigation makes this clear, and cites $600,000 in damage caused, including attacks on “a wide range of businesses located in the United States.” (This does not include the dozen other countries affected, hence, presumably, the quite low sum involved.)

The batteries attack took place in October 2010, but the FBI document makes clear that as of May 2011 the attacks were still going on.

At present it’s not clear who is behind these attacks–in other words, who is paying for them. This could be a ransom attack–pay up or we will keep DDOSing–but this doesn’t seem to be the case, as Batteries4less.com Chief Executive Coryon Redd doesn’t mention any such approach in an interview with Mills. He seems to believe that “[t]he competitor is going to be U.S.-based and contracting out with a bad guy in Russia.”

Could be right. In which case the investigation has stumbled on a dark world of business tactics stretching from banking to astrology consultants. More research needed, please.

Did Prolexic Fend Off Anonymous’s Sony Attacks?

Prolexic, a company that defends clients against Distributed Denial of Service (DDoS) attacks, says it has successfully combatted the “Largest Packet-Per-Second DDoS Attack Ever Documented in Asia”:

“Prolexic Technologies, the global leader in Distributed Denial of Service (DDoS) mitigation services, today announced it successfully mitigated another major DDoS attack of unprecedented size in terms of packet-per-second volume. Prolexic cautions that global organizations should consider the attack an early warning of the escalating magnitude of similar DDoS threats that are likely to become more prevalent in the next 6 to 8 months.”

Although it describes the customer only as “an Asian company in a high-risk e-commerce industry” it could well be connected to the recent attacks on Sony by Anonymous. A piece by Sebastian Moss – The Worst Is Yet To Come: Anonymous Talks To PlayStation LifeStyle — in April quoted an alleged member of Anonymous called Takai as reacting to unconfirmed reports that Sony had hired Prolexic to defend itself (Sony Enlists DDoS Defense Firm to Combat Hackers):

“It was expected. We knew sooner or later Sony would enlist outside help”. Pressed on whether Anonymous would take out Prolexic, Takai showed confidence in the ‘hacktivists’’ upcoming retaliation, stating “well, if I had to put money on it … I’d say, Prolexic is going down like a two dollar wh*** in a Nevada chicken ranch”. He did admit that the company “is quite formidable” and congratulated “them for doing so well”, but again he warned “We do however have ways for dealing with the ‘Prolexic’ factor”.

The website also quoted Anonymous members expressing frustration at the new defences, but they appeared confident they would eventually prevail. That doesn’t seem to have happened.

Prolexic’s press release says the attacks had been going on for months before the client approached the company. The size of the attack, the company said, was staggering:

According to Paul Sop, chief technology officer at Prolexic, the volume reached levels of approximately 25 million packets per second, a rate that can overwhelm the routers and DDoS mitigation appliances of an ISP or major carrier. In contrast, most high-end border routers can forward 70,000 packets per second in typical deployments. In addition, Prolexic’s security experts found 176,000 remotely controlled PCs, or bots, in the attacker’s botnet (robot network). This represents a significant threat as typically only 5,000-10,000 bots have been employed in the five previous attacks mitigated by Prolexic.

It does not say why it considers the attack over, nor does it give any timeline for the attack. But if it is Sony, it presumably means that Anonymous has withdrawn for now or is preoccupied with other things. Prolexic, however, is probably right when it warns this is a harbinger of things to come:

“Prolexic sees this massive attack in Asia with millions of packets per second as an early warning beacon of the increasing magnitude of DDoS attacks that may be on the horizon for Europe and North America in the next 6 to 8 months,” Sop said. “High risk clients, such as those extremely large companies in the gaming and gambling industries in Asia, are usually the first targets of these huge botnets just to see how successful they can be.”

links for 2008-09-15

Mapping Trends With Google

Google’s new Trends search is a lot of fun, and useful too. See how some things have taken off over the past couple of years, like Web 2.0:

[image: Gwebtwo]

and Wikipedia (the lower graph is for volume of related pieces on Google News, the upper for ordinary Search):

[image: Gwiki]

while others, such as WiMax, are more gradual:

[image: Gwimax]

Interest in others, meanwhile, seems to have peaked. 2005, for example, seems to have been RSS’ year:

[image: Grss]

whereas folk started to get less obsessed about spam in 2004:

[image: Gspam]

Some terms just seem to have leapt out of nowhere, such as “botnet”:

[image: Gbotnet]

while almost the whole history of interest in others, like phishing, is captured in the three and a half years covered by Google Trends:

[image: Gphish]

When Chatbots Go Bad

Richard Wallace of the A.L.I.C.E. AI Foundation, Inc. and creator of the Alice chatbot says his creation (sorry, can’t find a permalink) may have been lured to the dark side:

I have received a multitude of emails recently from subscribers to MSN Instant Messenger services, from people who have chatted with a clone of ALICE on their system who have suspected that this clone is downloading spyware onto their machines. The threat of malicious bots releasing viral software has appeared before, but this is the most serious incident so far. Like many clones of ALICE, this one appears to contain the basic AIML content containing my email address and references to the A. I. Foundation, which of course has nothing to do with malicious software. But it directs people to complain to me.

New Scientist quotes Richard as saying that “this is insidious because compared to other bots, she does the best job of convincing people that she is a real person.” I’m not quite clear as to how this happens, but it would appear that anyone chatting with these Rogue Alices would be infected with spyware via MSN chat.

If so, is this the start of something? As chatbots get better, can we expect them to spread through every online social tool, infecting us with their sleaze and reducing our trust levels to zero?

Microsoft’s Spyware Gate

Microsoft have launched a new version of their Antispyware application, now rebuilt and renamed Windows Defender. Initial reports are favorable, including from Paul Thurrott, who is good on these kinds of things:

Windows Defender Beta 2 combines the best-of-breed spyware detection and removal functionality from the old Giant Antispyware product and turns it into a stellar application that all Windows users should immediately download and install. Lightweight, effective, and unobtrusive, Windows Defender is anti-spyware done right, and I still consider this to be the best anti-spyware solution on the market. Highly recommended.

Expect this program to become part of the next Windows operating system, meaning that spyware is going to be kept out of most computers by default. This is a good thing. What is less good is that it lets Microsoft decide what is and what isn’t spyware, giving them one more gate to control. Also, spare a thought for all the companies that have been selling antispyware software for the past few years; I can’t see many of them surviving past Windows Vista.

Why Hasn’t China Cracked Down on Its Rainmen?

Another mainstream media look at the alleged “Titan Rain” cyberwar strategy of the Chinese, where organised, highly disciplined and experienced gangs ferret around in Western computers. This one is from today’s Guardian Unlimited — Smash and grab, the hi-tech way:

Sources involved in tracking down the gang say the Chinese group is just one of a number of organised groups around the world that are involved in a hi-tech crime wave, some working for governments, others highly organised criminal gangs. “We have seen three attacks a day from this group in the past week and there are a lot of other groups out there,” said the source. “You could say that the iceberg is now in view.”

That said, it seems clear that this kind of thing has some government sanction:

Privately, UK civil servants familiar with NISCC’s investigation agree that the attacks on the UK and US are coming from China. This almost certainly means some state sanction or involvement – perhaps even a “shopping list” of requirements. Some of the attacks have been aimed at parts of the UK government dealing with human rights issues – “a very odd target”, according to one UK security source.

The point is that Internet activity is heavily circumscribed in China:

There is another, more compelling reason. “Hacking in China carries the death penalty,” says Professor Neil Barrett, of the Royal Military College at Shrivenham. “You also have to sign on with the police if you want to use the internet. And then there is the Great Firewall of China, which lets very little through – and lets [the Chinese government] know exactly what is happening.” The internet traffic to the UK, and its origin, would all be visible to the Chinese government. Finding the culprits would, in theory, be a simple process.

So why are they still out there, and why can we narrow down their workplace to a single province?

When Firewalls Move

Here are the details on the Zone Alarm deal I promised a couple of days back:

Effective immediately, Sygate and Kerio users switching to ZoneAlarm Pro will receive a $20 instant rebate, over 40% off the retail price of $49.95. “A firewall is the most essential, fundamental element of protection against hackers,” said Laura Yecies, general manager of Zone Labs and vice president at Check Point. “Innovation in firewall development is critical, because threats are dynamic and ever-changing. Consumers must seek a solution that is not only vendor-supported but has new features added regularly to protect against novel attack strategies.”

Of course, there’s still the free version.

And here are the details of the purchase by Sunbelt Software of Kerio:

Sunbelt Software and Kerio Technologies Inc. today announced that the parties have signed an agreement for Sunbelt to acquire the Kerio Personal Firewall. The acquisition is expected to be finalized by the end of the month.

The Kerio Personal Firewall will be re-branded on an interim basis as the “Sunbelt Kerio Personal Firewall”. All existing customers of the Kerio Personal Firewall will be able to receive support through Sunbelt once the acquisition is completed.

Upon the close of the deal, Sunbelt will also announce new reduced pricing for the full version of the product and a variety of special offers for both Kerio and Sunbelt customers. Additionally, Sunbelt will continue Kerio’s tradition of providing a basic free version for home users.

Zone Labs to Offer Sygate, Kerio Users a Deal

From a press release emailed to me by Zone Labs, makers of Zone Alarm:

The personal firewall market is currently undergoing a major shift, with Symantec set to retire the Sygate line of personal firewalls tomorrow (including the free version and Sygate Pro), and Kerio discontinuing its personal firewall at the end of December to pursue an enterprise strategy. […] In order to help consumers affected by recent events, Zone Labs will be announcing a new promotion to Sygate and Kerio users later this week to ensure that consumers have essential firewall protection available at an affordable price.

Not clear what kind of offer yet, but I’ll let you know.